7D internals
7D updates

Update (8Jan2012): managed to compute updater2 checksum, but not sure it is useful progress...

7D is dual Digic so there are 2 updaters:

    Fir_tool 0.6 (8Jan2012)
    fileLen = 0xc0170c
    ---.fir header---
    0x000: modelId = 0x80000250, (7D, DryOS)
    0x010: version = 1.2.3
    0x020: checksum = 0xa0577e5f   checksum computing 0x0-0xc0170c is OK!
    0x024: updater1 header = 0xb0
    0x028: updater1 offset = 0x120
    0x02c: updater2 offset = 0x1a65d0
    0x030: firmware offset = 0x214390
    0x034: 0xffffffff
    0x038: embedded file size = 0xc0170c
    0x03c: 0x0
    0x040: sha1 seed = 0x43be8381
    0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x002142e0
    0x060: 0x214390
    0x064: firmware length = 0x9ed37c
    0x068: updater1 hmac-sha1 = 0b6640b60071040abb10ea30c99aabe05566665a
    0x088: firmware hmac-sha1 = 498586e645b182c1aaeec6aa8b45d570dc2b6cfb
    ---updater1 header---
    0x0b0: updater1 length = 0x1a64b0. starts at 0x120
    0x0b4: 0x1a64ac
    0x0b8: 0x0
    0x0bc: xor seed value = 0xec33fb74
    0x120: --- updater1 (ciphered) ---
    ---updater2 header---
    0x1a65d0: (+0x000), modelId = 0x80000250, (7D, DryOS)
    0x1a65e0: (+0x010), version = 1.2.3
    0x1a65f0: (+0x020), checksum? = 0xfd545a3e   checksum computing 0x1a65d0-0x214390 is OK!
    0x1a65f4: (+0x024), 0xb0
    0x1a65f8: (+0x028), 0x120
    0x1a65fc: (+0x02c), ffffffff ffffffff ffffffff
    0x1a6608: (+0x038), updater length (including header) = 0x6ddc0. starts at 0x1a65d0
    0x1a6680: (+0x0b0), updater length = 0x6dca0. starts at 0x1a66f0
    0x1a6684: (+0x0b4), 0x6dc9c
    0x1a6688: (+0x0b8), 0x0
    0x1a67ac: (+0x0bc), xor seed value = 0xfbeac87f
    0x1a66f0: (+0x120), --- updater2 (ciphered) ---
    ---firmware header---

fir_tool.py can be used to extract the 2 updaters. Officially, updater1 is called K250SU (Slave Updater) and updater2 is called K250MU (Master Updater). Similarly, the main firmware (patch#8) is called K250S and the second one (patch#2) is called K250M. You can notice that both addresses are at 0xf8010000 (a copy of 0xff010000), but K250S loads at 0xff010000 and K250M at 0xff810000.
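As an added example (not part of the original page and not taken from fir_tool.py), the following Python code reads the outer .fir header fields at the offsets shown in the fir_tool dump and checks that the sections it describes fit together. It assumes little-endian 32-bit fields and an ASCII version string; the function names are hypothetical, the sample header is constructed from the dump's values, and the consistency checks are relations that hold for this dump rather than a documented rule.

```python
import struct

# Offsets of 32-bit fields, copied from the fir_tool dump above.
# Assumptions: little-endian integers, version stored as ASCII text.
FIELDS = {
    "model_id": 0x00, "checksum": 0x20, "updater1_header": 0x24,
    "updater1_offset": 0x28, "updater2_offset": 0x2C,
    "firmware_offset": 0x30, "embedded_size": 0x38, "sha1_seed": 0x40,
    "firmware_length": 0x64, "updater1_length": 0xB0, "xor_seed": 0xBC,
}

def parse_fir_header(data):
    """Return the outer .fir header fields as a dict."""
    if len(data) < 0xC0:
        raise ValueError("too short for a .fir header")
    h = {k: struct.unpack_from("<I", data, off)[0] for k, off in FIELDS.items()}
    h["version"] = data[0x10:0x20].split(b"\0", 1)[0].decode("ascii", "replace")
    h["updater1_hmac"] = data[0x68:0x7C].hex()  # HMAC-SHA1 is 20 bytes
    h["firmware_hmac"] = data[0x88:0x9C].hex()
    return h

def check_layout(h, file_len):
    """Return a list of inconsistencies; empty means the sections line up."""
    problems = []
    if h["embedded_size"] != file_len:
        problems.append("embedded size != file length")
    if h["updater1_offset"] + h["updater1_length"] != h["updater2_offset"]:
        problems.append("updater1 does not end at updater2")
    if not h["updater2_offset"] < h["firmware_offset"] < file_len:
        problems.append("updater2/firmware offsets out of order")
    if h["firmware_offset"] + h["firmware_length"] != file_len:
        problems.append("firmware does not end at end of file")
    return problems

def build_sample():
    """Constructed 0x120-byte header holding the values from the dump."""
    buf = bytearray(0x120)
    values = {0x00: 0x80000250, 0x20: 0xA0577E5F, 0x24: 0xB0, 0x28: 0x120,
              0x2C: 0x1A65D0, 0x30: 0x214390, 0x38: 0xC0170C,
              0x40: 0x43BE8381, 0x64: 0x9ED37C, 0xB0: 0x1A64B0,
              0xBC: 0xEC33FB74}
    for off, val in values.items():
        struct.pack_into("<I", buf, off, val)
    buf[0x10:0x15] = b"1.2.3"
    return bytes(buf)

if __name__ == "__main__":
    hdr = parse_fir_header(build_sample())
    print(hdr["version"], hex(hdr["model_id"]), check_layout(hdr, 0xC0170C))
```

A truncated or padded file shows up as a non-empty list from `check_layout`, which is a quick sanity test to run before spending time on the ciphered sections.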
    Dump_fir 0.3 (01Jan2011)
    fileLen = 0x9ed300
    0x000: checksum = 0xc3153d27
    0x004: 0x00000000
    0x008: 0x00000002
    0x00c: 0x00000000
    0x010: nb_record = 0xa
    0x014: table_offset = 0x20
    0x018: nb_record = 0x18
    0x01c: size_after = 0x9ed1f0
    0x020: ---patches table---
        + tag  + foffset  +   size   + moffset
    ---------------------------------------------
    0x01: 0x0101 0x00000110 0x00034fac 0xf8300000
    0x02: 0x0101 0x000350bc 0x001be874 0xf8010000 <-K250M (Master)
    0x03: 0x0200 0x001f3930 0x00000521 0x00000000
    0x04: 0x0200 0x001f3e52 0x000245bf 0x00000000
    0x05: 0x0200 0x00218412 0x0008b7e8 0x00000000
    0x06: 0x0100 0x002a3bfa 0x00034fac 0xf8910000
    0x07: 0x0100 0x002d8ba6 0x001f0b30 0xf85b0000
    0x08: 0x0100 0x004c96d6 0x00523aec 0xf8010000 <-K250S (Slave)
    0x09: 0x0103 0x009ed1c2 0x0000009d 0x00000000
    0x0a: 0x0102 0x009ed260 0x0000009f 0x00000000
    0x110: ---patch#1---

Firmware analysis

Master Firmware (K250M, 0xff810000, 1.7 Mbytes)
*No GUI functions
*has FIO_* functions, with a RequestRPC call
*has MAC_* functions
*hotplug task (USB/HDMI/VIDEO/Mic/TOE)
*...

Slave Firmware (K250S, 0xff010000, 5.1 Mbytes)
*has GUI functions
*has FIO_* functions
*has SD/CF read/write functions
*MVP_* (MoviePlayer), MOVW_* (MovieFileWriter)
*MVR_* (MovieRecord), MOVR_* (MovieFileReader)
*PD_*, FM_*, FC_*, Ceres functions
*LiveviewAE, LiveviewAF
*ASIF, Audio, USB, DryShell
*Vram, Bitmap
*VFAT, exFAT
*Pre/Rear/Front Develop
*FA_* (Factory), FaceDetection
*SVG code, MAC_*, CRP_*, DirectPrint
*LensCom, PTP
*H264E, JPCORE, EDID
*LOT/DEC/HST/CPY/RSZ/DDD/SUB
*HASH, ENGine

LED (works in updater1 context)

    // memory-mapped register, so access it through a volatile pointer
    volatile unsigned int *led_addr = (volatile unsigned int *)0xC022D06C;
    *led_addr = 0x800C00;
    *led_addr = 0x138000; // drive_led_on
    *led_addr = 0x800C00;
    *led_addr = 0x38400;  // led_off

In bootcode (does not work in updater1):

    FFFF53C0 LDR R4, =0xC0223000
    FFFF53C4 MOV R1, #0x46 // on
    FFFF53C8 STR R1, [R4,#0x2C]
    FFFF5434 MOV R1, #0x44
    FFFF5438 STR R1, [R4,#0x2C]